HttpSignaturePlug: accept standard (request-target)

The (request-target) used by Pleroma is non-standard, but many HTTP signature implementations do it this way due to a misinterpretation of the draft 06 of HTTP signatures: "path" was interpreted as not having the query, though later examples show that it must be the absolute path with the query part of the URL as well. This behavior is kept to make sure most software (Pleroma itself, Mastodon, and probably others) do not break, but Pleroma now accepts signatures for a (request-target) containing the query, as expected by many HTTP signature libraries, and clarified in the draft 11 of HTTP signatures. Additionally, the new draft renamed (request-target) to @request-target. We now support both for incoming requests' signatures.
2022-08-17 03:30:02 +02:00 · 2022-08-17 03:30:02 +02:00 · d991a3eee0
parent f32e288711
commit d991a3eee0
1 changed files with 1 additions and 1 deletions
--- a/lib/pleroma/web/plugs/http_signature_plug.ex
+++ b/lib/pleroma/web/plugs/http_signature_plug.ex
@ -64,7 +64,7 @@ defmodule Pleroma.Web.Plugs.HTTPSignaturePlug do
    if has_signature_header?(conn) do
      # set (request-target) header to the appropriate value
      # we also replace the digest header with the one we computed
-      possible_paths = route_aliases(conn) ++ [conn.request_path]
+      possible_paths = route_aliases(conn) ++ [conn.request_path, conn.request_path <> "?#{conn.query_string}"]
      assign_valid_signature_on_route_aliases(conn, possible_paths)
    else
      Logger.debug("No signature header!")